Well, I passed. And when I got my e-mail my first thought was...THANK GOD IT'S OVER!

I'd read a slew of reviews about the course before signing up but what I read and tried to prepare myself for just did not match the reality. Sure, there's a ton out there warning that this course requires a ton of extra work, self study, and is intense, etc. But really, does "Getting shot really hurts" or "Rectal examinations are really uncomfortable" adequately describe the real thing?

I spent a couple of months working through the labs. I work full time so almost every minute I wasn't at work was spent on my computer, in the labs. Weekday evenings? OSCP. Weekends? OSCP. Kid's activities? Sometimes. House maintenance? Television? HA! OSCP was present in damn near every waking moment of my life. As I waited for my exam day, I looked forward to getting my life back.

The OSCP doesn't so much teach you as it tests you. Based on my experience, I would say that OSCP was 50% instruction, 45% learn on your own, 5% getting hints from other students. Something that occurs to me is that most books I've used to learn the subject matter are high on content but low on the ability to apply/practice that knowledge. That is, most of them gave me a wealth of info/techniques but no practical/legal way to practice. OSCP is the opposite. You have a great playground but need to find/develop the info/techniques yourself.

I learned a ton. Enough to make my eyeballs explode out of my head; I can thank Offsec for that. I can also say that there's room for improvement. (I am kind of surprised there was no student feedback form after my lab/exam, I thought that was pretty standard for most courses/certs.) Anyway, there are so many positive reviews out there, 99% probably, so my review points out things that I didn't like or think need improvement. For that reason, it may come across as overly negative and/or critical but I want to state unequivocally that this is not a bad cert. IMHO, it's just not for everyone.

This cert was particularly challenging for me because I'm not a pentester and this is only my second security cert (the other being CEH). I do have a lot of coding experience and have worked with/around computers since graduating college but I had to work my ass off for the OSCP. Anyway, for someone looking at the OSCP for the first time, there are tons of positive reviews out there, don't base your opinion on my experience, check the others out.

ENTRY-LEVEL REDEFINED-----------------------------------

I pulled this from the OffSec website:

Penetration Testing with BackTrack is an entry-level course but still requires students to have certain knowledge prior to attending the class. A solid understanding of TCP/IP, networking, and reasonable Linux skills are required.

I think when most people hear "entry level" they think of their grade school algebra course, or beginning physics, or something similar. For me, the OSCP was about as entry level as Calculus & Quantum Mechanics are entry level mathematics & physics. Really, the first clue should be: 24 hour exam. I initially thought this course was for the neophyte pentester, someone who wanted to break into the field. However, as I progressed through the material and labs, I started to wonder. On one hand, much of the material and some of the lab machines require experience/knowledge far beyond what is provided by the training. Conversely, in other cases the instructions seem very much geared toward a novice pentester and were presented in a very simplistic, detailed, and easy to follow manner. Again, and I'll probably repeat this many times, a pentester might have looked at stuff I struggled with and said, "Everyone knows THAT!!!!"

For an entry level course, the OSCP is decidedly uneven, instructionally speaking. Initially it starts out very basic going so far as to tell you how to start an FTP server. Progress through the buffer overflow section is equally precise and easy to follow. One big help is your own box to experiment on, one not accessible by anyone but the student. That way if something doesn't work, you can rule out another student or leftover exploits. However in the latter modules, the instructional quality falls off dramatically as does the ability to practice techniques using the XP client you're provided. For example, the port forwarding section isn't covered well at all and you're given no ability to practice outside of the student lab machines.

Next, while the course covers most of the stages of penetration testing individually, it's up to the student to put them together. This means the student has to feel his way through the labs on his own. The danger in this is that the student may be learning things in a less than correct manner. Maybe it's just me, but "I learned most of what I know on my own through blogs and wikipedia," is NOT what I want to hear from my doctor or financial planner.

THE LABS-----------------------------------

The labs are the shining part of this cert. A veritable playground where you can hone your skills without fear of the FBI or other law enforcement agency banging down your door. It's easy to freeze a service or machine as you sling exploits at it and being able to revert a particular server to its original state was critical. I wish that we were given more than 6 reverts in a 24 hour period. One thing I discovered while rooting boxes is that other students failed to clean up after themselves. So I'd get on a box and discover left over exploits or services open that weren't intentionally left open. So I got into the habit of reverting a box before I started to really work on it. Problem was, if I used a revert or two on it as I worked it (easy to do on some of the more fragile services), I'd be out of reverts in no time.

Another problem I had with the labs was that there was no clear route to what is attainable at a given stage. Realistically, most working folk will probably only be able to complete 1-2 modules per week. So your average student will be able to start getting shells and rooting machines by the 3rd week or so. So I'm banging my head against one machine - you know "Try Harder" - for hours, days even, only to find out (thanks to a helpful student on IRC) that I'm not going to be able to get that machine until I get through module X. Great.

Also some of the servers seemed spookily unaligned with a 101 class. Say you're in Algebra 101 and at the end of Chapter 5 they tell you to do the exercises but, by the way, to make things challenging, we threw in some Geometry, Trig, & Calculus questions. Good luck! The big problem is that you don't know if the machine you're banging your head on is an Algebra question or a Calculus one. Try Harder will likely not cut it either. I can throw a 5th grader a Quantum physics question and tell him Try Harder all day but it ain't going to cut it.

The training also lacks a full on end to end example. You're given the basics of each fundamental step of the process (scanning, enumeration, etc) but never given a run-through of getting into a box, why this exploit was chosen over that one, why this payload did work while that one didn't, etc, etc. Unfortunately, what ended up happening with me, at least initially, is point-shoot-miss, point-shoot-miss, point-shoot-hit. Battleship anyone?

THE MATERIAL-----------------------------------

The Muts videos were excellent. The problem I had was that they often were used to supplement the PDF rather than complement it. Early on, I found holes in the manual that cost me hours, only to find out that the video got it right. I find it easier to reference a manual than a slew of videos so I wish the manual were a bit more thorough and the videos were used to add that extra bit rather than fill in the gaps.

I was disappointed by the number of errors in the lab manual. For example the manual is all about using OllyDbg but in the exercise lab provided, it's Immunity Debugger. Are they similar/same? Yes. But for the amount of money it costs, is it too much to ask for updated screen shots in a PDF? I could see if they referenced a tool from BT 4 that changed in BT 5 or if we were shipped a printed manual...but a PDF? Case in point, a line of Python code from the book:

Code:

print "Fuzzing " + command + " with length:" + str(len(string))

And the (supposed) corresponding output:

Code:

Fuzzing MKD:1

Doesn't take a programming genius to see there's something not right here. These admittedly minor quibbles are quality control issues that I wouldn't even bring up if it were a $30-$50 textbook, but for an $800 class? One thing that could alleviate these issues is if Offsec were to implement a system where students/instructors could post errata to the manual/videos. Might save some questions in the IRC as well.

WHAT SAVED ME-----------------------------------

As I've repeated over and over, I'm not a pentest professional and a lot of networking concepts were foreign to me. What I did have going for me was a strong programming background. I think that's the key to getting through this course and the exam: being strong in a key discipline. It doesn't necessarily have to be programming or networking or pentesting. But if you just learned that python wasn't just a big snake, Bourne Shell isn't the name of the next Ludlum movie, and SQL isn't someone's misspelling of a movie follow-on...Pain X 1000.

I cringe when I read posts/hear from people who think that OSCP is Intro to Hacking where they will come out like Neo or the guy in Swordfish. Again, this is largely a self-taught class that requires you to learn so much on your own, primarily using the web as a resource.

Another thing that helped me was having taken the CEH. While I'm the first to point out the negatives of CEH, it did at least introduce me to some of the basic points of the field. I'd recommend anyone taking this course to at least get an Intro to Ethical Hacking book first.

COST-----------------------------------

No, not the $$. I'm talking about the personal toll this class took on me and my family. (Again, a pentester probably wouldn't have to devote as much time, so my experience might have been on the extreme side.)

I'm normally pretty active, but at the end of this cert I'd gained 6-7 lbs. Not surprising since weeknights and weekends were spent in front of the computer and when it came to eating I'd typically shove whatever was handy down my piehole. Who has time to cook? Did I mention I was spending 20+ hours a week on this cert? Also, midway through, I started to break out and developed a cold due largely to the aforementioned eating habits & inactivity coupled with loss of sleep, and stress. Obviously my work suffered - when you're staying up until 1 or 2 AM working a server or waking up at 3 - 4 AM thinking about a server...concentrating on your day job is difficult.

Because I found it impossible to concentrate with the usual household noises, I had to closet myself in my office at home. So for more than 2 months, I barely saw, much less spoke to, my family. When my folks would call, I was usually distracted, tired, and/or busy. Family get-togethers, weekend BBQs? Ha, don't make me laugh. And when they did see me, I was often grumpy from lack of sleep or frustration. Of course this all did not make the spousal unit happy. You can only say, "It'll be over soon" so many times.

I have to give my spouse & kids credit - they were very understanding and supportive. But there were of course several times when being ignored for several months caused some spousal tension. More than once, pleas for attention from the wife turned decidedly frosty when met with, "Hold on, I've almost got this server." And there's no guilt trip like having your kids tell you, "Daddy, we miss you" and your wife say, "I want my husband back"...I owe them - my wife in particular - big time.

POST MORTEM-----------------------------------

The challenge in any course is finding the right balance between hand holding and letting the student work things out for themselves.

I think most people will agree that the OSCP falls closer to the right than the left.

IMHO, too much to the left doesn't benefit the student because you're not engaging any brain cells. Too much to the right...there's more of a chance that a key concept or skill is overlooked. Let me clarify that.

For me, figuring stuff out on my own improves my retention; it does not equate to learning "better", i.e. a thorough understanding. I think getting trained by an expert typically beats the learn on your own method. Whatever I did in the labs, I know there are probably easier or more efficient methods, things I didn't think of. There are a couple of services that I was never able to crack...does this mean they just weren't vulnerable or did I miss something? No idea.

I once missed a week in my college statistics class and ended up having to teach myself a chapter over a weekend. What I discovered the next week was that assumptions I had made (or divined), even though I got the right answer, ranged between inefficient and incorrect...thankfully, there was an instructor there to correct my shortcomings. This is why I feel the OSCP wasn't an ideal fit for me.

Learning any skill can be made difficult; I could make learning the alphabet difficult. And none of what I learned in the OSCP (either from the materials or on my own) qualifies as rocket science. But the amount of training is nowhere near what I needed in the labs - I estimate I got less than 50% of what I needed for the lab machines. I personally think a little more instructional information ("Try harder" does not qualify) would improve the quality of the student. Not only that, it might result in an increase in enrollment.

It would be interesting to find out what percentage of OSCPers take the OSCE/EE. My guess is it's around 15% but wouldn't be surprised if it was actually < 10%. Based on my canvassing of OSCPs at work, 1 in 8 (and he was a maybe) would consider the OSCE due to the impact it takes on the individual, his family, time, personal life, work...all of the above. Most give me an unequivocal "NO" (usually preceded with "H3ll" and "F@cking") re. OSCE or higher. The irony here is that the very thing that makes the OSCP so sought after also seems to stunt enrollment in the other courses.

I am still interested in ethical hacking but count myself in the "Hell No" category when it comes to continuing the Offsec curriculum. Personally, I prefer something closer to "taught" than "tested". I want something where core concepts/methodology are stressed and there's more of a balance between spoonfed & "you're on your own". Until then, I can teach myself using the web/blogs/books/sites (like EH.net)...just like I did with the OSCP (only minus the labs.) So unless there's a pervasive reason to obtain the cert - Maserati/G6/magic genie - I can't justify putting myself much less my family through another round.

Last edited by DragonGorge on Thu Nov 08, 2012 8:42 pm, edited 1 time in total.

I've said this before, but remember that there is often not a "correct" way to do something, or an "obvious" path to proceed along. I think part of the value of this course is that it gives you a taste of the real world. If you hated the course, you're going to hate dealing with the same uncertainty for every engagement you do professionally. You may regret spending ~$1000 on the course, but that's much better than making an entire career change and having to go about correcting that. There's no revert button in the real world.

Definitely a good review though, and a serious "Congratulations!" on the pass. This is a very difficult cert to obtain.

So what's next for you? Are you going to pursue penetration testing, or do you have your sights set on something else?

Good, insightful review, I am glad to see it. I am wondering though, as you mentioned, for someone intending on doing penetration testing, when you aren't taught different ways of achieving an objective, could that develop bad habits later, in addition to limiting one's skillset? I think that maybe some in depth analysis of your exam try from the offsec team could possibly help that.

Right now i'm planning on completing CCNA this month (with more practice after my course and cert), CCNA Security in December, and review of my CPT/CEH material and programming in January followed by an eventual PWB class... still waiting on any kind of word on that.

Congrats on passing the exam, DragonGorge! Your review was good, honest and in depth. I am currently going through the PWB course myself and plan to take the exam within the next 30 days.

Don't let this discourage you if you want to be a pen tester. I am a pen tester/consultant and in my opinion there are things in the course that are more difficult than real world pen testing. This course will have you better prepared than someone that hasn't taken this course. I took the Foundstone Ultimate Hacking course in 2004 and the Certified Ethical Hacker course in 2010. Those courses were good for teaching you how to use the tools, but didn't teach you how to be a pen tester. This course does a better job.

In the real world, you can use vulnerability scanners and you have unlimited use of Metasploit, but knowing how to get by without that luxury is one of the good points of the PWB course. In actual pen tests, you don't have time to do everything manually and this is where a vulnerability scanner such as Nessus is a time saver. My point is, don't let this discourage you from starting a career as a pen tester.

Congrats on the exam DragonGorge! Looks like everyone is doing well on the exam. I like your review also. I think everyone at some point in the course felt the same way, but I believe the difficulty of the course is what makes it one of the most sought after security courses too. Are the other offsec courses difficult? Yes; however, it is very rewarding when you are able to complete them. I say give them another shot.

Congrats on passing the exam DragonGorge. Your write up is really good. I've recently passed the OSCP as well and I loved the course; I learn better by being pushed and for ME the PWB course and exam really pushed me.

I agree with you on how much of a time sink the course can be and the effect it can have on your loved ones and work but I still think it's worth the time and effort (and pain, tears, joys rollercoaster).

I'm not a penetration tester by trade, so a lot of the content was new to me, but it's already given me a better understanding of what is required for that sort of job. Half way through my course my company had an internal pen test and the tester that was on site ran nmap, nessus then metasploit to complete the tests, which at the time I thought was "cheating".

Would I do another OffSec course, yes I probably would but next time I know what to expect so I can better prepare.

So what's next for you? Are you going to pursue penetration testing, or do you have your sights set on something else?

I've got an established career as a programmer and never intended going the pentest route. Switching careers & starting over both in pay and seniority was never a consideration. My company encourages us to not only update but diversify our skills (cue ajohnson's sig) so when several coworkers suggested OSCP I thought, "Hey, that sounds cool!" And since they were paying...what the heck, right?

Along those lines, my time in CEH & OSCP has already helped me in my current job. I have not only picked up a different skill set (virtualization, Linux, Python, networking, Wireshark, et al), I think I'm a better programmer now. At least, I'm a more security-minded programmer, not to mention a more paranoid computer user.

Are the other offsec courses difficult, yes, however, it is very rewarding when you are able to complete them. I say give them another shot.

Again, if they're anything like the OSCP - I can't. I just can't do that to my wife/kids again; especially when it's not in line with my current career. I could justify it if I was a pentester, but not for something that amounts to a hobby/outside interest.

When it comes time to take another class/cert, I might try SANS. I have zero interest in CISSP - no offense to any here but it sounds boring. Or I might go an entirely different route, something unrelated to infosec.

One thing I'd like to add regarding the labs - I cracked most of the student labs and roughly half of the IT/Dev machines. I did not get a chance to get any of the admin machines. My point being that breaking into 100% of the network is not a prereq for passing the exam.

Great review and this is one of the most honest I've ever read. You are absolutely right about the balance between the learning pain vs time spent with your family. Despite the fact that Off Sec provides quite quality courses, they should review the materials and balance things a little.

For a fee between 450 - 1500 bucks per cert some aspects can be fixed though.

A Big CONGRATULATIONS! and enjoy any further decision that you'll take. In the end it's just your personal choice based on your experience.

I cringe when I read posts/hear from people who think that OSCP is Intro to Hacking where they will come out like Neo or the guy in Swordfish. Again, this is largely a self-taught class that requires you to learn so much on your own, primarily using the web as a resource.

Not even after OSCE will one become Neo or the guy in Swordfish.

The reason why I like OffSec's teaching methods, even though they also make people become bald (for ripping out the hair lol), is that they force you to think for yourself, search the net for help, go to IRC for, perhaps, helpful peers. Learning about pentesting can be a trial and error process when something doesn't work.

When you're doing it in real life, you want to know the exact implication of running an exploit before even running it. I.e. will it crash lsass and perhaps force the machine to reboot? Will it only crash a single service that will barely affect the system or perhaps a service that affects many users? And how reliable is your exploit with x payload considered the most stable option?

At least, when I reconfigure devices, upload shells, execute commands, send exploits, etc., I try to know or already know as much as I can about all those things. When I don't know much about the target environment, I must make assumptions based on which ports are filtered, which are open, which services are listening, etc.